Subject: Multiple decision result of type xpathExpression
Section 2.2.3 of the XACML v3.0 Multiple Decision Profile v1.0 states that:

    Each Individual Decision Request SHALL be identical to the original request context with two exceptions: the "multiple:content-selector" attribute SHALL NOT be present and an added "content-selector" attribute value SHALL be an XPath expression that evaluates to a single node in the <Content> element.

The spec intentionally leaves the exact syntax of the XPath expression as an implementation detail. Balana returns an invalid XPath expression and I'm looking for guidance on what should be returned instead.

The obvious answer is to return something like

    /parent/child

What should be done with elements in a namespace? What is the namespace context of the returned XPath expression? Can the PDP augment the response with namespace declarations that it needs in the XPath expression?

The work-around for the lack of namespace context would be to write a predicate

    /*[local-name()='parent' and namespace-uri()='http://ns.com']/*[local-name()='child' and namespace-uri()='http://ns.com']

A predicate is already required to distinguish identical siblings with their index. The complicated predicate works but I wonder if that's the solution the authors had in mind.
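Added example (not part of the original message, and not Balana's code): one way to generate the namespace-context-free form described above, with a sibling index on every step, and to confirm with the JDK's XPath 1.0 evaluator that it selects exactly one node. The class and method names and the sample XML are assumptions made for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class ContentSelectorPath {  // hypothetical class and method names
    static String ns(Node n) {
        return n.getNamespaceURI() == null ? "" : n.getNamespaceURI();
    }

    // One step: test local name and namespace URI, then add the 1-based
    // position among siblings that share the same expanded name.
    static String step(Element e) {
        String uri = ns(e);
        if (uri.indexOf('\'') >= 0 && uri.indexOf('"') >= 0)
            throw new IllegalArgumentException("URI needs concat() quoting: " + uri);
        String q = uri.indexOf('\'') >= 0 ? "\"" : "'";
        int pos = 1;
        for (Node s = e.getPreviousSibling(); s != null; s = s.getPreviousSibling())
            if (s instanceof Element && e.getLocalName().equals(s.getLocalName()) && uri.equals(ns(s)))
                pos++;
        return "/*[local-name()='" + e.getLocalName() + "' and namespace-uri()="
                + q + uri + q + "][" + pos + "]";
    }

    // Absolute path from the document element down to e.
    static String pathTo(Element e) {
        Node p = e.getParentNode();
        return (p instanceof Element ? pathTo((Element) p) : "") + step(e);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample standing in for the children of <Content>.
        String xml = "<p:parent xmlns:p='http://ns.com'><p:child/><p:child/></p:parent>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Request content is untrusted input: refuse DOCTYPE declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        Element second = (Element) doc.getElementsByTagNameNS("http://ns.com", "child").item(1);
        String expr = pathTo(second);
        // The evaluator has no NamespaceContext set, as in the question.
        NodeList hits = (NodeList) XPathFactory.newInstance().newXPath()
                .evaluate(expr, doc, XPathConstants.NODESET);
        System.out.println(expr);
        System.out.println(hits.getLength() == 1 && hits.item(0).isSameNode(second));
    }
}
```

The positional predicate follows the name test, so the index counts only siblings with the same local name and namespace URI, and the expression never depends on a prefix binding.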